We have you by the gadgets 

Hitting your OS below the belt 
Thank you: 

Itzik Kotler, FX, Ian Amit, Jayson Street, 
SophSec, Wim Remes, Aviv Raff, Gal Diskin 
#include <full list.h> 



What are Gadgets 




A little bit of history 



Windows XP - Concept first introduced as 
"Active Desktop" 

o Allowed you to put updating content on your desktop 

Vista - Sidebar introduced, first mention of 
"gadgets" 

o Gadgets ran in the sidebar "container" and couldn't be placed 
randomly on the desktop 

Windows 7 - significant changes 

o Improvements in management: 

o Gadgets now can be anywhere on the desktop 

o All gadgets run in a single process 

o Addition of the enterprise security features 

o Also - New stuff to help in development 



Why this still matters 



• Gadget use is in decline 

• But! This style of app development is taking 
off 

o Container-based apps for smartphones that allow you 
to do all your dev in HTML, XML, Javascript, etc... 



Windows Vista Sidebar 




Windows 7 Gadgets 




Creating Gadgets 



• Usually just a 
web app 

o html 

o css 

o javascript 
o gadget specific 
manifest file 

• Can also be WPF 
or Silverlight 



Example gadget folder contents (screenshot): 

Name            Type 
css             File folder 
images          File folder 
js              File folder 
about.html      HTML Document 
flyout.html     HTML Document 
gadget.html     HTML Document 
gadget.xml      XML Document 
nyancat.gif     GIF image 
NyanCat.mp3     MP3 Format Sound 
settings.html   HTML Document 



Gadget Security Model 



MSFT provides a detailed explanation 



(see references) 



Code signing is possible but not required 

Prompt for install similar to standard 
applications: 



Windows Sidebar - Security Warning 

The publisher could not be verified. Are you sure you want to 
install this gadget? 

Name: DigitalClock.gadget 

Publisher: Unknown Publisher 



This file does not have a valid digital signature that verifies its 
publisher. You should only run software from publishers you 
trust. How can I decide what software to run? 



Gadget Security Model 



Most similar to HTA - HTML Applications 

Basically run in "Local Machine Zone" with 
some differences: 

o Can instantiate any installed ActiveX object 
o UAC 

■ Runs as standard user even if the user is part of 
the admin group 

■ Can't raise UAC prompts BUT! apps launched by a 
gadget can 

Parental Controls apply 



Gadget Security Model 



Some enterprise controls available 

o Turn off Windows Sidebar. 

o This policy allows administrators to completely 
disable the Windows Sidebar. 

o Disable unpacking and installation of gadgets that are 
not digitally signed. 

■ Only affects gadgets that are downloaded and 
installed by double-clicking on the gadget 
package. All previously installed gadgets, as well 
as those installed manually, will still function. 

o Turn off user-installed gadgets. 

o Override the "Get more gadgets online" link. 



Attack Surface 

• Attacking with gadgets 
• Attacking gadgets 



Attacking with gadgets 

• Delivery: 

o Install this gadget? Sure! 

• Sidebar gadgets aren't perceived as being 
dangerous software or even software at all 




Attacking with gadgets 



• So I installed your gadget, so what? 

• I can't do much, just this: 
o Execute code 

■ Game over 

• Also: 

o Open URLs 

o Create files with arbitrary content 
o Read files 

o Make your computer speak 



Attacking Gadgets 



Gadgets are code. Therefore gadgets are 
vulnerable 

Step 1 - Search for gadgets 
Step 2 - Analyze 
Step 3 - ... 

Step 4 - Profit (and share the findings) 



Attacking Gadgets 



• LOTS of malware claiming to be gadgets 

• Minimal use of SSL 

• Lots of ad server connections (no ads 
displayed) 

o And domain parking sites 

• A couple primary producers, shared code 
between gadgets 

o If you find something in one, it's probably in the others 

Attacking Gadgets 



• Poor security practices, easy targets 

o Multiple ways to inject code 
o Default Permissions is "full" 

Attacking Gadgets - Traffic Sniffing 

• SSL is haaaaard 

• All downloaded gadgets pulled most of their 
content w/o SSL 

• Including updated gadget code in some 
cases 
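As an added example (not code from the talk or from Microsoft), a small Python triage script that inspects a .gadget package for the weaknesses described on the last two slides: the manifest's permissions setting ("full" by default), content fetched over plain http://, and script that instantiates ActiveX or the Sidebar's System.Shell object. The sample package it builds is constructed for illustration; the System.Shell pattern name is an assumption.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

URL_RE = re.compile(r'https?://[^\s"\'<>]+')
# ActiveXObject is named on the slides; System.Shell is the Sidebar scripting object (assumed name).
RISKY_RE = re.compile(r'ActiveXObject|System\.Shell')

def audit_gadget(package_bytes):
    """Inspect a .gadget package (a zip archive) and return the findings."""
    findings = {"permissions": None, "entry": None, "plaintext_urls": [], "risky_files": []}
    with zipfile.ZipFile(io.BytesIO(package_bytes)) as zf:
        names = zf.namelist()
        if "gadget.xml" in names:
            # Manifest shape: <hosts><host><base src=.../><permissions>full</permissions></host></hosts>
            host = ET.fromstring(zf.read("gadget.xml")).find("./hosts/host")
            if host is not None:
                perm, base = host.find("permissions"), host.find("base")
                if perm is not None and perm.text:
                    findings["permissions"] = perm.text.strip()
                if base is not None:
                    findings["entry"] = base.get("src")
        for name in names:
            if not name.lower().endswith((".html", ".htm", ".js")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            # Content pulled over plain HTTP can be replaced by anyone on the network path.
            findings["plaintext_urls"] += [(name, u) for u in URL_RE.findall(text) if u.startswith("http://")]
            if RISKY_RE.search(text):
                findings["risky_files"].append(name)
    return findings

def build_sample_gadget():
    """Constructed sample package mirroring the folder layout shown on the slide."""
    manifest = ('<?xml version="1.0" encoding="utf-8"?><gadget><name>NyanCat</name><hosts>'
                '<host name="sidebar"><base type="HTML" apiVersion="1.0.0" src="gadget.html"/>'
                '<permissions>full</permissions></host></hosts></gadget>')
    script = ('var feed = "http://example.invalid/update.js";\n'
              'var fso = new ActiveXObject("Scripting.FileSystemObject");\n')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("gadget.xml", manifest)
        zf.writestr("gadget.html", '<html><script src="js/main.js"></script></html>')
        zf.writestr("js/main.js", script)
    return buf.getvalue()

if __name__ == "__main__":
    print(audit_gadget(build_sample_gadget()))
```

Point it at a real .gadget file by passing its bytes to audit_gadget; a "full" permission plus plaintext update URLs is exactly the combination the MitM demo relies on.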

Attacking Gadgets - MitM 



There are not many gadgets out there, 
capturing their requests is simple. (AirPwn) 

Using a custom simple proxy to automate 
injection. 

Demo 



Attacking Gadgets - Code Injection 

• Any web scripting language 

o Or powershell 

• Demo 

What to do about it? 

• Code is code 

o Remember not to take candy from strangers 

• Write applications properly 
• Microsoft's solution 



Microsoft Solution 



• Security Advisory 2719662 

• "Microsoft is aware of vulnerabilities in insecure Gadgets affecting 
the Windows Sidebar on supported versions of Windows Vista and 
Windows 7" 

• Fix It solution 

• Engineering solution that removes the attack vector 

• Moving away from the Windows Sidebar and 
towards the Windows Store. 

• Deprecated the Windows Gadget Gallery 

• Updated developer documentation 



Prior Work 






Standing on the shoulders of giants 
• CVEs 



o CVE-2007-3032 
o CVE-2007-3033 
o CVE-2007-3891 



Presentations 

o The Inherent Insecurity of Widgets and Gadgets - 
Aviv Raff, Ian Amit 

o Jinx - Malware 2.0 - Itzik Kotler, Jonathan Rom 